[Samba] Realm trust between Samba AD and MIT kerberos realm

Alex Moore alex at lspeed.org
Mon Jan 14 14:14:00 UTC 2019


I have now tried demoting the Windows 2008 R2 DC, and it seems the realm 
trust no longer works after doing so.

Which brings me back to my main question: Am I correct in thinking realm 
trusts aren't currently expected to work, and if so are there any plans 
to add support for them? Otherwise, if this ought to be possible 
already, is anyone able to advise on what I might be missing?

Thanks a lot,
Alex

On 10/01/2019 23:11, Alex Moore via samba wrote:
> Hi all,
>
> I was hoping to setup a realm trust between a Samba AD domain and a 
> kerberos realm running mit-krb5, however it looks like that isn't 
> currently supported. Is that correct, or am I missing something (I'm 
> running Samba 4.9.4)?
>
> Having noticed that "samba-tool domain trust" only seems to cater for 
> trusts involving other AD domains, I tried to workaround that (in the 
> hope that perhaps the limitation is only in the CLI tools) by 
> promoting a Windows 2008 R2 system to a DC in my otherwise Samba-based 
> AD environment, to see if I could use that to get the realm trust in 
> place. That seems to have at least half worked... I found that I 
> needed to temporarily move the PDC Emulator role to the Windows 2008 
> R2 DC, after which it was then possible to use the GUI tools (i.e. 
> Active Directory Domains and Trusts) to create a kerberos realm trust. 
> For the record I created a non-transitive outgoing realm trust from AD 
> to the MIT kerberos realm. The resulting kerberos realm trust does 
> appear to function correctly, although perhaps that's not saying much 
> because I haven't yet tried demoting the Windows 2008 R2 DC to see 
> whether the realm trust continues to function once there are only 
> Samba DCs remaining (I will test that soon...). At least "samba-tool 
> domain trust list/show" do present sensible information:
>
> # samba-tool domain trust list
> Type[External] Transitive[No]  Direction[OUTGOING] Name[KRB.REALM]
>
> # samba-tool domain trust show KRB.REALM
> LocalDomain Netbios[AD] DNS[ad.domain] SID[S-1-5-21-611510720-3146064378-2947260547]
> TrustedDomain:
>
> NetbiosName:    KRB.REALM
> SID:            None
> Type:           0x3 (MIT)
> Direction:      0x2 (OUTBOUND)
> Attributes:     0x1 (NON_TRANSITIVE)
> PosixOffset:    0x00000000 (0)
> kerb_EncTypes:  0x18 (AES128_CTS_HMAC_SHA1_96,AES256_CTS_HMAC_SHA1_96)
>
> However I have already noticed one thing that is broken... if I 
> restart samba on the Samba DC after creating the realm trust, winbind 
> immediately dies with the following (and I can't see a workaround - 
> meaning this isn't a viable deployment even if the trust would 
> otherwise continue to work after demoting the Windows DC, as it would 
> stop working as soon as samba is next restarted):
>
> [2019/01/10 20:17:59.578186,  0] ../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache)
>   initialize_winbindd_cache: clearing cache and re-creating with version number 2
> [2019/01/10 20:17:59.585080,  0] ../source3/winbindd/winbindd_util.c:131(add_trusted_domain)
>   add_trusted_domain: Got null SID for domain [KRB.REALM]
> [2019/01/10 20:17:59.585114,  0] ../source3/winbindd/winbindd_util.c:1245(init_domain_list)
>   init_domain_list: init_domain_list_dc failed
> [2019/01/10 20:17:59.585138,  0] ../source3/winbindd/winbindd.c:1454(winbindd_register_handlers)
>   unable to initialize domain list
>
> So - is there any chance of getting support for kerberos realm trusts 
> added to Samba? Perhaps I am being naive here, but I'm hoping that 
> presumably realm trusts are much simpler than other AD trust types 
> (since they're purely kerberos - no need to deal with SIDs and other 
> such complexities), to the extent that I imagine they only require a 
> subset of the code that has already been implemented for the other 
> trust types.
>
> Thanks
> Alex
>
>
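
A pre-flight check for the situation described in the thread, added here as an example; it is not Samba's code and not something the poster ran. It parses the text that `samba-tool domain trust show` prints (the MIT realm trust from the post is embedded as a constructed sample, alongside a constructed, hypothetical AD-to-AD trust named OTHERAD for contrast), decodes the hex flag fields using the value names defined in MS-ADTS, and reports any trust whose SID is `None`, which is the condition that makes winbindd's add_trusted_domain() fail at the next restart. It also reports DES/RC4 bits in kerb_EncTypes, a check a practitioner would want on any trust even though the post's trust is AES-only. The field names and layout are assumed to match samba-tool's output as quoted above:

```python
"""Pre-flight check of trust objects from `samba-tool domain trust show` output.

Added example, not part of Samba.  Parses samba-tool's text output, decodes the
flag fields, and flags the condition that kills winbindd in the thread above:
a trustedDomain object with no SID.  Flag value names follow MS-ADTS
(trustType, trustDirection, trustAttributes, msDS-SupportedEncryptionTypes).
"""
import re

TRUST_TYPE = {0x1: "DOWNLEVEL", 0x2: "UPLEVEL", 0x3: "MIT", 0x4: "DCE"}
TRUST_DIRECTION = {0x0: "DISABLED", 0x1: "INBOUND", 0x2: "OUTBOUND", 0x3: "BOTH"}
TRUST_ATTRIBUTES = {
    0x01: "NON_TRANSITIVE", 0x02: "UPLEVEL_ONLY", 0x04: "QUARANTINED_DOMAIN",
    0x08: "FOREST_TRANSITIVE", 0x10: "CROSS_ORGANIZATION", 0x20: "WITHIN_FOREST",
    0x40: "TREAT_AS_EXTERNAL", 0x80: "USES_RC4_ENCRYPTION",
}
ENC_TYPES = {
    0x01: "DES_CBC_CRC", 0x02: "DES_CBC_MD5", 0x04: "RC4_HMAC_MD5",
    0x08: "AES128_CTS_HMAC_SHA1_96", 0x10: "AES256_CTS_HMAC_SHA1_96",
}
WEAK_ENC = 0x01 | 0x02 | 0x04  # DES and RC4 bits

# Constructed sample: the MIT realm trust exactly as shown in the post.
MIT_TRUST_SHOW = """\
LocalDomain Netbios[AD] DNS[ad.domain] SID[S-1-5-21-611510720-3146064378-2947260547]
TrustedDomain:

NetbiosName:    KRB.REALM
SID:            None
Type:           0x3 (MIT)
Direction:      0x2 (OUTBOUND)
Attributes:     0x1 (NON_TRANSITIVE)
PosixOffset:    0x00000000 (0)
kerb_EncTypes:  0x18 (AES128_CTS_HMAC_SHA1_96,AES256_CTS_HMAC_SHA1_96)
"""

# Constructed, hypothetical sample: an external trust to another AD domain,
# which (unlike a realm trust) carries a domain SID.
AD_TRUST_SHOW = """\
LocalDomain Netbios[AD] DNS[ad.domain] SID[S-1-5-21-611510720-3146064378-2947260547]
TrustedDomain:

NetbiosName:    OTHERAD
SID:            S-1-5-21-1111111111-2222222222-3333333333
Type:           0x2 (UPLEVEL)
Direction:      0x3 (BOTH)
Attributes:     0x4 (QUARANTINED_DOMAIN)
PosixOffset:    0x00000000 (0)
kerb_EncTypes:  0x18 (AES128_CTS_HMAC_SHA1_96,AES256_CTS_HMAC_SHA1_96)
"""

_FIELD = re.compile(r"^(\w+):\s+(\S+)(?:\s+\((.*)\))?\s*$")
_HEX = re.compile(r"^0x[0-9a-fA-F]+$")


def parse_trust_show(text):
    """Turn `samba-tool domain trust show` output into a dict keyed by field name.
    Hex values become ints, the literal 'None' becomes None, all else stays a string.
    The 'LocalDomain ...' and bare 'TrustedDomain:' lines carry no field and are skipped."""
    trust = {}
    for line in text.splitlines():
        m = _FIELD.match(line.strip())
        if not m:
            continue
        key, value, _label = m.groups()
        if _HEX.match(value):
            trust[key] = int(value, 16)
        elif value == "None":
            trust[key] = None
        else:
            trust[key] = value
    return trust


def decode_flags(mask, table):
    """Expand a bitmask into its MS-ADTS names, keeping any bits we do not know."""
    names = [name for bit, name in sorted(table.items()) if mask & bit]
    unknown = mask & ~sum(table)
    if unknown:
        names.append("UNKNOWN(0x%x)" % unknown)
    return names


def check_trust(trust):
    """Return a list of findings for one parsed trust (empty list == nothing to report).
    The SID check mirrors the winbindd log in the post: add_trusted_domain() rejects a
    trust with a null SID, init_domain_list fails, and winbindd exits on restart."""
    findings = []
    name = trust.get("NetbiosName", "?")
    if trust.get("SID") is None:
        findings.append("%s: null SID; winbindd add_trusted_domain() will log "
                        "'Got null SID for domain [%s]' and exit on restart" % (name, name))
    if trust.get("Type") == 0x3:
        findings.append("%s: trustType MIT (0x3), a Kerberos realm trust rather than "
                        "an AD domain trust" % name)
    weak = (trust.get("kerb_EncTypes") or 0) & WEAK_ENC
    if weak:
        findings.append("%s: weak Kerberos enctypes enabled: %s"
                        % (name, ",".join(decode_flags(weak, ENC_TYPES))))
    return findings


if __name__ == "__main__":
    for sample in (MIT_TRUST_SHOW, AD_TRUST_SHOW):
        t = parse_trust_show(sample)
        print("%s type=%s direction=%s attrs=%s enctypes=%s" % (
            t["NetbiosName"], TRUST_TYPE.get(t["Type"]), TRUST_DIRECTION.get(t["Direction"]),
            decode_flags(t["Attributes"], TRUST_ATTRIBUTES),
            decode_flags(t["kerb_EncTypes"], ENC_TYPES)))
        for f in check_trust(t):
            print("  FINDING:", f)
```

Run against `samba-tool domain trust show <name>` for each entry in `samba-tool domain trust list` before restarting samba; a null-SID finding means the DC is in the state the thread describes, and winbindd will not come back up until that trust object is removed.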
